我编写了一个函数,它使用 PDO 从我的数据库中选择所有用户和所有对应的字段。我还允许该函数将数组作为参数,以便于过滤。我的问题是当我将过滤器数组传递给执行函数时,我没有从我的表中获取任何行。我知道它与 PDO 以及我将数组传递给它的方式有关,因为当我使用硬编码到查询中的过滤器运行 execute 方法时,它会起作用。这是我的函数和调用它的代码:
$config = array(
'filters' => array(
'all members' => array('', ''),
'officers' => array('statuses.position_id', '8'),
'current members' => array('users.alumni', 0)
)
);
$filter = $config['filters'];
//Requested filter is just a constant used to keep track of the parsed $_GET value
$result = $dbh->getUsers($filter[REQUESTED_FILTER]);
//Just showed function, not whole class
public function getUsers(array $filter = array('', '')) {
$result = array();
$sql = 'SELECT users.firstname, users.lastname, users.grad_year, users.alumni, users.signedISA, phone_numbers.phone_number, emails.email_address,
addresses.name, addresses.street, addresses.city, addresses.state, addresses.zip
FROM
((users LEFT JOIN phone_numbers
ON users.user_id = phone_numbers.user_id)
LEFT JOIN emails
ON users.user_id = emails.user_id)
LEFT JOIN addresses
ON users.user_id = addresses.user_id
WHERE ? = ?;';
$sth = $this->handle->prepare($sql);
if($sth->execute($filter)) {
while($row = $sth->fetch(PDO::FETCH_ASSOC)) {
array_push($result, $row);
}
}
return $result;
}
有人知道为什么这不起作用吗?
最佳答案
您不能将模式对象标识符(如表名或列名)作为参数传递给准备好的语句(您当前的尝试总是比较 WHERE
子句中的参数化字符串文字)。
相反,您需要执行以下操作:
public function getUsers(array $filter = array('\'\'', '')) {
$result = array();
$sql = 'SELECT users.firstname, users.lastname, users.grad_year, users.alumni, users.signedISA, phone_numbers.phone_number, emails.email_address,
addresses.name, addresses.street, addresses.city, addresses.state, addresses.zip
FROM
((users LEFT JOIN phone_numbers
ON users.user_id = phone_numbers.user_id)
LEFT JOIN emails
ON users.user_id = emails.user_id)
LEFT JOIN addresses
ON users.user_id = addresses.user_id
WHERE ' . $filter[0] . ' = ?;';
$sth = $this->handle->prepare($sql);
if($sth->execute($filter[1])) {
while($row = $sth->fetch(PDO::FETCH_ASSOC)) {
array_push($result, $row);
}
}
return $result;
}
如果 $filter
的值不在您的控制范围内,请注意 SQL 注入(inject)(您需要使用反引号引用标识符并将其中包含的任何反引号加倍:确保您在一种多字节安全的方式!)。
关于php - PDO 执行不会正确注入(inject)数组值,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/12433828/